Nico's blog on all things VMware Cloud on AWS

Integrating AWS Directory Services with VMware Cloud on AWS

This short post will describe how to integrate AWS Directory Services with VMs running on VMware Cloud on AWS.

One of the many services AWS offer is a managed Microsoft Active Directory platform. As somebody with limited Microsoft AD experience, that sounds like something handy (Active Directory is not a skill I am intending to pick up).

The reason for me exploring this is that I wanted to attach the AWS Managed File Servers for Windows (FSx) to my Windows VMs running in VMware Cloud on AWS, but FSx requires the use of the AWS AD.

I will walk you through how to use FSx with VMware Cloud on AWS in an upcoming post.

I went ahead and set up my AD and it was stupidly simple. Go to the AWS Console, select Directory Service and let’s go:

AWS Directory Welcome Page / Select Directory Type

I went ahead and built an AWS Managed Microsoft AD.

Enter Directory Information

You can literally build the AD in minutes. In the end, I settled for the very original directory name of corp.local and an AD called ad.corp.local.

Choose the VPC and subnets (one per AZ) where you will deploy the AD

By default, the AD will be built across two availability zones (AZs) for resiliency. It takes about half an hour for the AD to be set up.

Security Control between VMware Cloud on AWS and native AWS services

I talked about this in a previous post, but in summary: for VMs in VMC to access a service in the VPC attached to the VMC infrastructure, you need to allow the traffic across two firewalls:

The Compute Gateway (configured on the VMware Cloud console)

The Security Group(s) of the AWS resources you are trying to access from VMware Cloud

For the AWS Managed AD services to be accessed, you need to ensure the following traffic is allowed (as per the link below):

TCP/UDP 53 – DNS

TCP/UDP 88 – Kerberos authentication

UDP 123 – NTP

TCP 135 – RPC

UDP 137-138 – Netlogon

TCP 139 – Netlogon

TCP/UDP 389 – LDAP

TCP/UDP 445 – SMB

TCP 636 – LDAPS (LDAP over TLS/SSL)

TCP 873 – Rsync

TCP 3268 – Global Catalog

TCP/UDP 1024-65535 – Ephemeral ports for RPC

How to join the Domain

Once you have allowed the traffic across, you can follow the instructions on the AWS page (“Manually join a Windows Instance”). These instructions were written for an EC2 instance but they’re perfectly valid for VMware Cloud on AWS.

It’s straightforward. First, you need to find the IP addresses of the AWS DNS servers under Directory Details in the AWS console.

172.31.42.113 and 172.31.3.138 are my DNS servers

Then you need to specify on your Windows VM the DNS servers to be the managed AD’s IP addresses.

First, set up the DNS servers on your Windows machine

Verify that the DNS service works. Then go to System Properties, click on Join a domain, enter your credentials and voila! You’re done!

Join the domain
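As an added example that is not from the original post, here is the same join procedure as a PowerShell script run on the Windows VM. It points the VM at the managed AD’s DNS servers, checks that a domain controller can be found, and tests the TCP ports from the list above before attempting the join, so a blocked Compute Gateway or Security Group rule shows up before the join fails. The DNS addresses and domain name are the ones from this post; the interface alias and the credential prompt are assumptions.

```powershell
# Added example (not from the original post). Assumes the post's DNS IPs and domain,
# and a NIC alias of "Ethernet0" on the VM; check yours with Get-NetAdapter.
$DnsServers = @('172.31.42.113', '172.31.3.138')   # AWS Managed AD DNS addresses from Directory Details
$DomainName = 'corp.local'
$NicAlias   = 'Ethernet0'                          # assumption: adjust for your VM

# 1. Point the VM at the managed AD's DNS servers (the step shown in the screenshot above).
Set-DnsClientServerAddress -InterfaceAlias $NicAlias -ServerAddresses $DnsServers

# 2. Verify DNS works by locating a domain controller through the AD SRV record.
#    If this fails, TCP/UDP 53 is blocked on the Compute Gateway or the Security Group.
$dcs = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction Stop |
       Where-Object { $_.QueryType -eq 'SRV' }
if (-not $dcs) { throw "No domain controller SRV records found for $DomainName" }

# 3. Test the TCP ports from the post's list that a domain join needs, against each DC.
#    (Test-NetConnection only tests TCP; UDP 53/88/389 cannot be checked this way.)
$RequiredTcpPorts = @{ 88 = 'Kerberos'; 135 = 'RPC'; 389 = 'LDAP'; 445 = 'SMB'; 636 = 'LDAPS'; 3268 = 'Global Catalog' }
foreach ($dc in $dcs) {
    foreach ($port in $RequiredTcpPorts.Keys) {
        $result = Test-NetConnection -ComputerName $dc.NameTarget -Port $port -WarningAction SilentlyContinue
        $label  = '{0} TCP/{1} ({2})' -f $dc.NameTarget, $port, $RequiredTcpPorts[$port]
        if ($result.TcpTestSucceeded) { Write-Host "$label OK" }
        else { Write-Warning "$label unreachable: check the Compute Gateway and Security Group rules" }
    }
}

# 4. Join the domain. Get-Credential prompts for the directory's Admin account so the
#    password is never stored in the script; -Restart completes the join.
$cred = Get-Credential -Message "Enter $DomainName admin credentials"
Add-Computer -DomainName $DomainName -Credential $cred -Restart
```

Run it from an elevated PowerShell session on the VM; if step 2 or 3 reports a failure, fix the firewall rule before retrying the join.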

Thanks for reading. You now know how to attach AWS Managed Directory Services to your VMware Cloud on AWS VMs (or to your EC2 instances; both your VMC VMs and your EC2 instances can join the same domain).